Cisco VPN :: ASA 8.4 LDAP Group To ASA Group Policy Mapping?
Jul 31, 2012
I am trying to map an LDAP group to an ASA group policy following this documentation:
[URL]
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well, but I do run into problems. The mapping, as shown in the LDAP debug and the ASA log, actually happens, but it is overwritten by the "GPnoAccess" group policy configured locally in the tunnel group. From earlier work with RADIUS I would have expected the user-specific attribute to be "stronger"?
ASA Log:
AAA retrieved user specific group policy (correct Policy) for user = XXX
AAA retrieved default group policy (GPnoAccess) for user = XXX
Dec 21, 2012
I have a working ASA 5505 that is used for remote access. It authenticates users via RADIUS (Microsoft AD using two IAS servers); it also authorises users via LDAP and it does some LDAP attribute mapping to get group membership for DAP. This is all working fine; however, recently I enabled IPv6 to do some testing. I have a /126 subnet on the Inside interface (maps to its equivalent /30 IPv4 subnet) and OSPFv3 running, so the ASA has visibility of the internal IPv6 networks. The DNS client is enabled on the ASA and all the authentication servers are entered as hostnames. The two RADIUS servers only have A records and the two LDAP servers (Windows DCs) have both A and AAAA records. My plan was to begin testing IPv6 on the AnyConnect VPN clients (once I was happy the ASA was working fine with IPv6).
When I initially enabled IPv6 everything continued to work as before; however, I had to reboot the ASA today and after it all came back up, authorisation stopped working. I did a bit of troubleshooting and the ASA is complaining of not being able to resolve the addresses of the two LDAP servers. From the CLI I can ping the hostnames, and the LDAP servers resolve to IPv6 addresses while the RADIUS servers resolve to IPv4 addresses. When I issue the command 'show aaa-server LDAP' (LDAP is the name of the group) I see the servers listed but the address displays 0.0.0.0:
Prior to the reboot both the LDAP servers were showing their addresses (IPv4) correctly. I can work around it by disabling IPv6 on the ASA, letting it look up the (IPv4) addresses of the LDAP servers (so they appear in the 'Server Address:' field above) and then re-enabling IPv6. Strangely, deleting and re-adding the servers just with their IPv4 addresses also fails, but I haven't fully tested this. I don't know, but I think I would have the same behaviour if the RADIUS servers also had AAAA records.
I assume that when IPv6 is enabled on the ASA it will perform AAAA lookups as well as A lookups, but the LDAP client cannot use IPv6? Just guessing at the moment as I haven't managed to get a LAN capture. [code]
May 18, 2011
I have a new Cisco Secure ACS 5.2 on a VM. We want to use it for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on Active Directory group membership; however, it is not working.
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
On the directory groups page I have entered the groups according to the required format: cn=groupname1,ou=groups,dc=abc,dc=com
I have rule-based result selection under group mapping. I have two rules in the format below.
Condition
LDAP:Externalgroups groupname1
Result
Identitygroup1
I have the default group set to an identity group named "other". My problem is, no matter what user attempts to authenticate, the Default rule is applied and the user is put into the "other" identity group. This occurs when I log on as a groupname1 user, a groupname2 user, or as a user that is not a member of either of those groups. LDAP authentication works and the user is able to log on to the device.
Apr 7, 2011
We have ACS 4.2 and it has been integrated with AD. Now a new user group has been added in AD, but we are not able to see that new AD group in ACS to do the mapping. We have refreshed the agent in ACS and also restarted the ACS agent in AD, but we are still not able to fetch the new AD group in ACS in group mapping. Is there any way to fetch the new group in ACS from AD?
Apr 30, 2012
I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership and match it appropriately to an identity group. What I'm trying to do is say that if the user is a member of the AD group (G-CRP-SEC-ENG) then associate them with the identity group SEC-ENG. Then, under the access service, authorization portion, I assign shell profiles and command sets based on identity group. It seems that the ACS server will not match the AD group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
I tried several configuration choices, from AD1:ExternalGroups contains any <string showing in AD> to AD1:memberOf <group>. Is there something special I need to do in the Group Mapping policy to get it to match an Active Directory group and result in assigning the host to an identity group?
Sep 12, 2012
We are using ACS 4.2.1.15 with patch 8 on ACS 1113 SE box.
Our requirement is to assign an ACS local group to a user on the basis of a Windows NT group. This means I don't want to create individual users in ACS; rather, when a user logs in, the auth request will be forwarded to AD (remote database). Depending on the remote database group, the user should be mapped to the local database.
For this I have configured "database group mapping" according to the following Cisco guide. [URL]
However, whenever my AD users are authenticating they are getting the membership of the default group as configured in the "Default" profile. I am using the TACACS+ protocol in my routers and switches for authentication.
Does "Group mapping by External user database" work with TACACS+ or only with the RADIUS protocol? If it works with TACACS+, what other configuration needs to be done so that my ACS can map users to the proper groups instead of the default group?
May 9, 2012
I have a problem where occasionally a user will attempt to log in and the LDAP search will find the user but then fail when it does the group search. The error I get is below:
22037 Authentication Passed
22023 Proceed to attribute retrieval
24032 Sending request to secondary LDAP server
24016 Looking up user in LDAP Server - testuser
24004 User search finished successfully
24027 Groups search ended with an error
24034 Secondary server failover. Switching to primary server
24031 Sending request to primary LDAP server
24016 Looking up user in LDAP Server - testuser
24004 User search finished successfully
24027 Groups search ended with an error
22059 The advanced option that is configured for process failure is used.
22062 The 'Drop' advanced option is configured in case of a failed authentication request.
Some users never get this error, others will get it once in a while, and I have one user that gets it every time they try to log in.
Feb 18, 2011
Dell 3000 XL, OS 149GB. I set up a home office to try to transfer files to my new one. Once I found out you can't do it, there was a group policy in place. How do I get rid of it? It's interfering with a lot of stuff, including my firewall. Had to buy another.
Apr 19, 2010
I actually require authentication for users who are coming from the PublicVLAN (the VLAN associated with the wireless hotspot) to authenticate themselves to the LDAP server via my ASA 5510 firewall.
Feb 1, 2011
How to disable USB using Group Policy?
Oct 4, 2011
I want to block a website timely using Group Policy on Windows Server 2008.
Feb 10, 2011
I have a Cisco ASA (8.2) with several group-policies set up. By default, I can hit the SSL page and have a selection of available group-policies for a user to log in to. I want to have different ACLs for each group, to go along with the subnet that each particular group hands out. Right now, as long as a user is authenticated through AAA, they can log in to any group they select and therefore have more permissions than another group.
I know how to hide the list, but I need to be able to assign a specific group to a user based on an attribute in ACS.
I've set up ACS to use the "CVPN3000/ASA/PIX7.x-Tunnel-Group-Lock" attribute, in which I match the group-policy name in the ASA to the attribute on the user account in ACS. This doesn't seem to work, and it just throws the user into DfltGrpPlcy, which doesn't give the user anything. So it's either wide-open, or it's broken.
I'm using RADIUS authentication and not TACACS, so it should retrieve the attributes, and according to the ACS, it grabs the attribute during the authentication process.
May 27, 2011
I have 4-5 machines connected to each other in a network which are in a workgroup. Now I want to change one group policy on a remote machine. The name of that policy is "Network access: sharing and security model for the local accounts - Guest only". How can I change this policy remotely?
Oct 5, 2012
Is it possible via Group Policy to prevent the domain computers from automatically creating default favorites when the users log in? Currently on the Favorites Bar it creates "Web Slice Gallery" and "Suggested Sites", as well as a "Websites for United Kingdom" folder. The domain controller is running Windows Server 2008 R2, and the clients are running Windows 7.
Nov 20, 2012
I have configured an ASA 5510 with IPsec remote VPN, with local database users (users are created in the ASA).
The internal network has 4 VLANs. I need a solution for the below.
There are 25 users created in the ASA, where only 5 to 6 users should be granted access to particular IPs and subnets, and the rest of the users can access the entire LAN.
Is it possible to configure group policy in the ASA for IPsec remote VPN?
Jun 16, 2012
How to check the applied Group Policy on the domain clients?
Nov 25, 2012
How to limit maximum SSL VPN sessions per group-policy on ASA5510?
There are 2 group-policies: in one a maximum of 10 connections, in the second 15 (in total the licenses allow 25 SSL VPN connections).
Mar 31, 2013
I am interested in knowing how to check on my 2003 Server what usernames are blocked from downloading. Many of the clients seem to have downloaded Google Talk and also Spotify. I was wondering if I can check where it is located and how to enforce this policy (or create it if it isn't in effect correctly).
Apr 28, 2012
Installing the Cisco NAC agent through Active Directory Group Policy (Windows 2008 R2). Currently the Cisco NAC CAS servers have been installed and configured and the switches are added, but the ports are not active. Currently users are not passing through the NAC. When the ports are active and the users try to access the network, the browser will ask the users to install the Cisco NAC Agent. I need to bypass this by installing the Cisco NAC agent through Active Directory Group Policy. How to install the Cisco NAC agent (4.9.1) to all the users in the network (Windows XP / 7) through Active Directory so that the users will not know that the Cisco NAC agent has been installed on their computers? This way the users need not install the Cisco NAC agent through the web browser and will just log in with their user name and password and get into the network.
Sep 29, 2011
I'm running a Windows Server 2008 Enterprise Edition server that is currently the domain controller, and a Windows 7 Ultimate client. I have a 'Test' user for messing around with Group Policy. Anyway, on the client Start Menu it has 'Test User', which leads to some form of libraries folder. Is it possible to restrict the link without removing their name?
Nov 29, 2010
When you use Group Policy to determine whether a link is fast or slow, fast links may be incorrectly flagged as slow links.
This problem may occur when a network that you are trying to detect a slow link to is configured to control the size and flow of Internet Control Message Protocol (ICMP) packets. For example, if a router allows for only ICMP ping packets that have a size of 1,024 bytes, the slow-link detection feature may flag the connection as a slow link. This is because the router discards ICMP packets that are larger than 1,024 bytes. If the router discards the packet because it exceeds the allowed size, fast links may be reported as slow links.
According to Microsoft, the default ICMP ping packet size of 2048 is used. Microsoft recommends changing every single Windows machine's ICMP size... but my customer would rather just change the router. It is a 2821 router, running 12.4(24)T4, using MLPPP to bundle two T1s.
May 1, 2012
How to associate an AD group (which I have defined in Users and Identity Stores / External Identity Stores / Active Directory / Directory Attributes) with the relevant identity groups (Users and Identity Stores / Identity Groups)? Is there an example of this being done somewhere, as I am having problems understanding how to do this from the user guide. All I want to do is associate identity groups with AD groups.
Feb 28, 2013
I've configured LDAP authentication on an ASA 5545 to allow only a certain user group. I mapped the memberOf group, but this seems not to be working as it allows all AD users. [code]
May 2, 2011
How to map the command shells that I created to the access policies under Default Device Admin / Authorization? All I get an option for is Shell Profile, but not commands. See attached doc. ACS 4.2 was easy: I would just create a command set and apply it to a group.
Jan 7, 2012
I have been using AES 256 with DH group 2 and PFS group 2 for my site-to-site VPN tunnels. Now I am considering modifying the DH groups, both for P1 and PFS, to group 5, or keeping them at group 2. Is it a must to have DH group 5 with AES 256, or is having DH group 2 with AES 256 also common?
May 23, 2011
We have two 4404's and WCS. The 4404's are almost maxed out. We have an additional 4404 which we would like to add to the group of 4404's.
Apr 26, 2011
I'm trying to set up a VPN connection to a router using group authorization with the ACS 5.2 but cannot make it work. I configured everything based on the procedure used for ACS 4.2. I created a user that corresponds to the group name, used the password cisco and used all the required Cisco AV pairs in an authorization profile. (Based on document: [URL])
While testing with ACS 4.2 this works fine; I can see that the ACS returns the group attributes correctly (here is a debug output):
Apr 9 16:16:59.256: RADIUS: Received from id 1645/22 192.168.1.212:1645, Access-Accept, len 203
Apr 9 16:16:59.256: RADIUS: authenticator 02 07 F5 E6 46 78 73 CA - 46 6D 47 90 FE 92 38 9A
Apr 9 16:16:59.256: RADIUS: Vendor, Cisco [26] 30
Apr 9
[Code].....
Aug 1, 2010
My remote VPN clients aren't able to do anything network wise once they have connected to the VPN. The ASA keeps coming up with "no translation group found" in the log.
Result of the command: "show running"
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name office.propertyfinder.com
enable password ######## encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Office Network Interface
 nameif Office-LAN
 security-level 100
 ip address 10.121.10.4 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet0/1
 description 4Mbps BTNet Internet Connection
 nameif Internet-Primary
 security-level 0
 ip address 213.121.253.33 255.255.255.248
 ospf cost 10
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description Office Wireless Interface
 nameif Office-Wireless
 security-level 10
 ip address 172.16.0.1 255.255.255.0
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns domain-lookup Office-LAN
dns server-group DefaultDNS
 name-server 10.121.10.20
 name-server 10.121.10.21
 domain-name
[code]....
Sep 27, 2012
I have an issue about AP Groups. In my scenario, I have one Flex WLC 7510 using software version 7.0.220, and all APs are 1131s. I have some sites with H-REAP, where H-REAP is configured properly. The access points are set with AP Groups. The AP Groups are configured properly too. Each AP Group was configured for one site, and 2 SSIDs were configured in each AP Group. All sites have 2 different SSIDs. During some basic tests, in one site with 9 APs, I saw:
1. When the access points are registered on the WLC, all APs are working fine. All APs have their 2 SSIDs added on slot 0 (radio 0).
2. If I disable the link between the WLC and the access points, 7 access points delete the SSIDs of their AP Groups and replace them with 16 SSIDs (the SSIDs of the Default Group configured on the WLC).
Feb 1, 2012
With LMS 4.1 Reporting, in several areas it is possible when selecting devices to use the 'Group Selector' (e.g. Syslog Severity Level Summary Report). The Group Selector dynamically chooses the devices in the selected group at report runtime to get the latest devices. Not all reports in LMS 4.1 provide this Group Selector, e.g. Best Practices Deviations/Discrepancies. Is that a bug? As the DCR changes often (add/delete), we urgently need to dynamically run reports against the latest DCR population.
May 29, 2013
I am trying to issue the command "ssh key-exchange group dhgroup14" on several of my ASA firewalls. The key-exchange command is failing on 3 of 4 ASA firewalls. According to Cisco documentation, this command was introduced in 8.4. My ASAs are running versions 8.6.1.10, 9.1.1.8, 9.1.1.10 and 9.1.2. The command is available only with 9.1.2.
Example from one of my ASAs:
lbjinetfw# show version | in Version
Cisco Adaptive Security Appliance Software Version 8.6(1)10
Device Manager Version 7.1(2)
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
lbjinetfw# config t
lbjinetfw(config)# ssh
[code]....
Jan 24, 2012
I scheduled a periodic job (for example the compliance check job) on a weekly basis and I specified one user's device group for this job (for example the branch_routers group). All is working, but when new devices are added to this group (the branch_routers group), the scheduled job is not provided for these new devices. Is it the default behaviour? Can I change it?
May 22, 2012
I have a problem implementing a NAR for a specific device group. I am running Cisco ACS 4.2 and it works fine for all the other stuff I do, but this issue is perplexing me a bit.
I have a device group with Juniper devices in it and I authenticate using RADIUS (Juniper) as the RADIUS setting. I have an Administration user group set up.
I placed a NAR into the group's "Per Group Defined Network Access Restrictions", specific to the device group, with * for port and address.
I placed this group into both the Define IP-based as well as the Define CLI/DNIS-based section.
No matter what I do, I keep getting authenticated.
When I go to the passed authentications page I see my login, and the group name is identified correctly and the network device group is identified correctly too. The filter says "no filters activated". So how can I get this NAR to kick in? I would like to restrict one device group from an ACS user group.